Nixpkgs security tracker
NIXPKGS-2026-0682
GitHub issue
published 3 months ago
Permalink
CVE-2026-33230
6.1 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
by @LeSuisse Activity log
- Created suggestion
- @LeSuisse accepted
- @LeSuisse published on GitHub
nltk Vulnerable to Cross-site Scripting
NLTK (Natural Language Toolkit) is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, `nltk.app.wordnet_app` contains a reflected cross-site scripting issue in the `lookup_...` route. A crafted `lookup_<payload>` URL can inject arbitrary HTML/JavaScript into the response page because attacker-controlled `word` data is reflected into HTML without escaping. This impacts users running the local WordNet Browser server and can lead to script execution in the browser origin of that application. Commit 1c3f799607eeb088cab2491dcf806ae83c29ad8f fixes the issue.
References
-
https://github.com/nltk/nltk/security/advisories/GHSA-gfwx-w7gr-fvh7 x_refsource_CONFIRM
Affected products
nltk
- ==<= 3.9.3
Matching in nixpkgs
pkgs.python312Packages.nltk
None
pkgs.python313Packages.nltk
Natural Language Processing ToolKit
pkgs.python314Packages.nltk
Natural Language Processing ToolKit
Package maintainers
-
@bengsparks Ben Sparks <benjamin.sparks@protonmail.com>